Container summary for suse/manager/5.0/x86_64/server-migration-14-16

SUSE-CU-2024:4397-1

SUSE-CU-2024:4379-1

This update for util-linux fixes the following issues:

• CVE-2024-28085: Properly neutralize escape sequences in wall to avoid potential account takeover. (bsc#1221831)

This update for e2fsprogs fixes the following issues:

• EA Inode handling fixes: - e2fsck: add more checks for ea inode consistency (bsc#1223596) - e2fsck: fix golden output of several tests (bsc#1223596)

This update for openssl-3 fixes the following issues:
Security issues fixed:

• CVE-2024-4603: Check DSA parameters for excessive sizes before validating (bsc#1224388)
• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

• Enable livepatching support (bsc#1223428)
• Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456)

This update for gcc13 fixes the following issues:
Update to GCC 13.3 release

• Removed Fiji support from the GCN offload compiler as that is requiring Code Object version 3 which is no longer supported by llvm18.
• Avoid combine spending too much compile-time and memory doing nothing on s390x. [bsc#1188441]
• Make requirement to lld version specific to avoid requiring the meta-package.

This update for util-linux fixes the following issue:

• Fix hang of lscpu -e (bsc#1225598)

This update for systemd contains the following fixes:

• testsuite: move a misplaced %endif

• Do not remove existing configuration files in /etc. If these files were modified on the systemd, that may cause unwanted side effects (bsc#1226415).

• Import upstream commit (merge of v254.13) Use the pty slave fd opened from the namespace when transient service is running in a container. This revert the backport of the broken commit until a fix is released in the v254-stable tree.

• Import upstream commit (merge of v254.11) For a complete list of changes, visit: https://github.com/openSUSE/systemd/compare/e8d77af4240894da620de74fbc7823aaaa448fef...85db84ee440eac202c4b5507e96e1704269179bc

This update for libxml2 fixes the following issues:

• CVE-2024-34459: Fixed buffer over-read in xmlHTMLPrintFileContext in xmllint.c (bsc#1224282).

This update for krb5 fixes the following issues:

• CVE-2024-37370: Fixed confidential GSS krb5 wrap tokens with invalid fields were errouneously accepted (bsc#1227186).
• CVE-2024-37371: Fixed invalid memory read when processing message tokens with invalid length fields (bsc#1227187).

This update for python3 fixes the following issues:

• CVE-2023-52425: Fixed backport so it uses features sniffing, not just comparing version number (bsc#1219559).
• CVE-2024-0450: Fixed detecting the vulnerability of 'quoted-overlap' zipbomb (bsc#1221854).
• CVE-2024-4032: Rearranging definition of private v global IP. (bsc#1226448)
• CVE-2024-0397: Remove a memory race condition in ssl.SSLContext certificate store methods. (bsc#1226447)

This update for shadow fixes the following issues:

• CVE-2013-4235: Fixed a race condition when copying and removing directory trees (bsc#916845).

This update for openssl-3 fixes the following issues:
Security fixes:

• CVE-2024-5535: Fixed SSL_select_next_proto buffer overread (bsc#1227138)

• Build with no-afalgeng (bsc#1226463)
• Build with enabled sm2 and sm4 support (bsc#1222899)
• Fix non-reproducibility issue (bsc#1223336)

This update for systemd fixes the following issues:
systemd was updated from version 254.13 to version 254.15:

• Changes in version 254.15:

• Changes in version 254.14:

This update for permissions fixes the following issue:

• cockpit: moved setuid executable (bsc#1228548)

This update for shadow fixes the following issues:

• Fixed not copying of skel files (bsc#1228770)

This update for util-linux fixes the following issues:

• agetty: Prevent login cursor escape (bsc#1194818).
• Document unexpected side effects of lazy destruction (bsc#1159034).
• Don't delete binaries not common for all architectures. Create an util-linux-extra subpackage instead, so users of third party tools can use them (bsc#1222285).
• Improved man page for chcpu (bsc#1218609).

This update for openssl-1_1 fixes the following issues:

• CVE-2024-5535: Fixed a buffer overread in function SSL_select_next_proto() with an empty supported client protocols buffer (bsc#1227138)

• Build with no-afalgeng. (bsc#1226463)
• Fixed C99 violations to allow the package to build with GCC 14. (bsc#1225907)

This update for pam fixes the following issue:

• Prevent cursor escape from the login prompt (bsc#1194818).

This update for openssl-3 fixes the following issues:

• CVE-2024-6119: Fixed denial of service in X.509 name checks (bsc#1229465)

• FIPS: Deny SHA-1 signature verification in FIPS provider (bsc#1221365).
• FIPS: RSA keygen PCT requirements.
• FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode (bsc#1220523).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: Block non-Approved Elliptic Curves (bsc#1221786).
• FIPS: Service Level Indicator (bsc#1221365).
• FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module (bsc#1221751).
• FIPS: Add required selftests: (bsc#1221760).
• FIPS: DH: Disable FIPS 186-4 Domain Parameters (bsc#1221821).
• FIPS: Recommendation for Password-Based Key Derivation (bsc#1221827).
• FIPS: Zero initialization required (bsc#1221752).
• FIPS: Reseed DRBG (bsc#1220690, bsc#1220693, bsc#1220696).
• FIPS: NIST SP 800-56Brev2 (bsc#1221824).
• FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 (bsc#1221787).
• FIPS: Port openssl to use jitterentropy (bsc#1220523).
• FIPS: NIST SP 800-56Arev3 (bsc#1221822).
• FIPS: Error state has to be enforced (bsc#1221753).

This update for permissions fixes the following issues:

• Update to version 20240826: * permissions: remove outdated entries (bsc#1228968)

• Update to version 20240826: * cockpit: revert path change (bsc#1229329)

This update for postgresql16 fixes the following issues:

• Upgrade to 16.4 (bsc#1229013)
• CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)
• CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See the release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)

This update for postgresql16 fixes the following issues:

• Upgrade to 14.13 (bsc#1229013)
• CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL. (bsc#1229013)

This update for glibc fixes the following issue:

• s390x-wcsncmp patch for s390x: Fix segfault in wcsncmp (bsc#1228042).

SUSE-CU-2024:3214-1

SUSE-CU-2024:3213-1

This update for coreutils fixes the following issues:

• ls: avoid triggering automounts (bsc#1221632)

This update for glibc fixes the following issues:

• Also include stat64 in the 32-bit libc_nonshared.a workaround (bsc#1221482)

This update for jitterentropy fixes the following issues:

• Fixed a stack corruption on s390x: [bsc#1209627] * Output size of the STCKE command on s390x is 16 bytes, compared to 8 bytes of the STCK command. Fix a stack corruption in the s390x version of jent_get_nstime(). Add some more detailed information on the STCKE command.

• add FIPS 140 hints to man page
• simplify the test tool to search for optimal configurations
• fix: jent_loop_shuffle: re-add setting the time that was lost with 3.4.0
• enhancement: add ARM64 assembler code to read high-res timer

This update for openssl-1_1 fixes the following issues:

• CVE-2024-4741: Fixed a use-after-free with SSL_free_buffers. (bsc#1225551)

This update for postgresql14 fixes the following issues:

• Upgrade to 14.12 (bsc#1224051):
• CVE-2024-4317: Restrict visibility of pg_stats_ext and pg_stats_ext_exprs entries to the table owner. See release notes for the steps that have to be taken to fix existing PostgreSQL instances. (bsc#1224038)

This update for postgresql16 fixes the following issues:
PostgreSQL upgrade to version 16.3 (bsc#1224051):

• CVE-2024-4317: Fixed visibility restriction of pg_stats_ext and pg_stats_ext_exprs entries to the table owner (bsc#1224038).

• Fix incompatibility with LLVM 18.
• Prepare for PostgreSQL 17.
• Make sure all compilation and doc generation happens in %build.
• Require LLVM <= 17 for now, because LLVM 18 doesn't seem to work.
• Remove constraints file because improved memory usage for s390x
• Use %patch -P N instead of deprecated %patchN.

• https://www.postgresql.org/docs/release/16.3/

SUSE-CU-2024:2291-1

This update for perl fixes the following issues:
Security issues fixed:

• CVE-2018-6913: Fixed space calculation issues in pp_pack.c (bsc#1082216)
• CVE-2018-6798: Fixed heap buffer overflow in regexec.c (bsc#1082233)

• make Net::FTP work with TLS 1.3 (bsc#1213638)

SUSE-CU-2024:1691-1

This update for python3 fixes the following issues:

• CVE-2023-6597: Fixed symlink bug in cleanup of tempfile.TemporaryDirectory (bsc#1219666).
• CVE-2022-48566: Make compare_digest more constant-time (bsc#1214691).

This update for audit fixes the following issue:

• Fix plugin termination when using systemd service units (bsc#1215377)

This update for coreutils fixes the following issues:

• tail: fix tailing sysfs files where PAGE_SIZE > BUFSIZ (bsc#1219321)

This update for expat fixes the following issues:

• CVE-2023-52425: Fixed a DoS caused by processing large tokens. (bsc#1219559)
• CVE-2024-28757: Fixed an XML Entity Expansion. (bsc#1221289)

This update for ncurses fixes the following issues:

• CVE-2023-45918: Fixed NULL pointer dereference via corrupted xterm-256color file (bsc#1220061).

This update for gcc13 fixes the following issues:

• Fix unwinding for JIT code. [bsc#1221239]
• Revert libgccjit dependency change. [bsc#1220724]
• Remove crypt and crypt_r interceptors. The crypt API change in SLE15 SP3 breaks them. [bsc#1219520]
• Add support for -fmin-function-alignment. [bsc#1214934]
• Use %{_target_cpu} to determine host and build.
• Fix for building TVM. [bsc#1218492]
• Add cross-X-newlib-devel requires to newlib cross compilers. [bsc#1219031]
• Package m2rte.so plugin in the gcc13-m2 sub-package rather than in gcc13-devel. [bsc#1210959]
• Require libstdc++6-devel-gcc13 from gcc13-m2 as m2 programs are linked against libstdc++6.
• Fixed building mariadb on i686. [bsc#1217667]
• Avoid update-alternatives dependency for accelerator crosses.
• Package tool links to llvm in cross-amdgcn-gcc13 rather than in cross-amdgcn-newlib13-devel since that also has the dependence.
• Depend on llvmVER instead of llvm with VER equal to %product_libs_llvm_ver where available and adjust tool discovery accordingly. This should also properly trigger re-builds when the patchlevel version of llvmVER changes, possibly changing the binary names we link to. [bsc#1217450]

This update for python3 fixes the following issue:

• Fix syslog making default 'ident' from sys.argv (bsc#1222109)

SUSE-CU-2024:807-1

This update for timezone provides the following fixes:

• North Korea switches back from +0830 to +09 on 2018-05-05.
• Ireland's standard time is in the summer, with negative DST offset to standard time used in Winter. (bsc#1073299)
• yast2-country is no longer setting TIMEZONE in /etc/sysconfig/clock and is calling systemd timedatectl instead. Do not set /etc/localtime on timezone package updates to avoid setting an incorrect timezone. (bsc#1093392)

This update for timezone, timezone-java fixes the following issues:
The timezone database was updated to 2018f:

• Volgograd moves from +03 to +04 on 2018-10-28.
• Fiji ends DST 2019-01-13, not 2019-01-20.
• Most of Chile changes DST dates, effective 2019-04-06 (bsc#1104700)
• Corrections to past timestamps of DST transitions
• Use 'PST' and 'PDT' for Philippine time
• minor code changes to zic handling of the TZif format
• documentation updates

• Fixed a zic problem with the 1948-1951 DST transition in Japan (bsc#1112310)

This update provides the latest time zone definitions (2018g), including the following change:

• Morocco switched from +00/+01 to permanent +01 effective 2018-10-28 (bsc#1113554)

This update for pam fixes the following issues:

• Remove limits for nproc from /etc/security/limits.conf (bsc#1110700)

The GNU Compiler GCC 8 is being added to the Development Tools Module by this update.
The update also supplies gcc8 compatible libstdc++, libgcc_s1 and other gcc derived libraries for the Basesystem module of SUSE Linux Enterprise 15.
Various optimizers have been improved in GCC 8, several of bugs fixed, quite some new warnings added and the error pin-pointing and fix-suggestions have been greatly improved.
The GNU Compiler page for GCC 8 contains a summary of all the changes that have happened:
https://gcc.gnu.org/gcc-8/changes.html
Also changes needed or common pitfalls when porting software are described on:
https://gcc.gnu.org/gcc-8/porting_to.html

This update for pam fixes the following issue:
Security issue fixed:

• CVE-2018-17953: Fixed IP address and subnet handling of pam_access.so that was not honoured correctly when a single host was specified (bsc#1115640).

This update for ncurses fixes the following issues:
Security issue fixed:

• CVE-2018-19211: Fixed denial of service issue that was triggered by a NULL pointer dereference at function _nc_parse_entry (bsc#1115929).

• Remove scree.xterm from terminfo data base as with this screen uses fallback TERM=screen (bsc#1103320).

This update for acl fixes the following issues:

• test: Add helper library to fake passwd/group files.
• quote: Escape literal backslashes. (bsc#953659)

This update for timezone fixes the following issues:

• Update 2018i: São Tomé and Príncipe switches from +01 to +00 on 2019-01-01. (bsc#1120402)
• Update 2018h: Qyzylorda, Kazakhstan moved from +06 to +05 on 2018-12-21 New zone Asia/Qostanay because Qostanay, Kazakhstan didn't move Metlakatla, Alaska observes PST this winter only Guess Morocco will continue to adjust clocks around Ramadan Add predictions for Iran from 2038 through 2090

This update for lua53 fixes the following issues:
Security issue fixed:

• CVE-2019-6706: Fixed a use-after-free bug in the lua_upvaluejoin function of lapi.c (bsc#1123043)

This update for file fixes the following issues:
The following security vulnerabilities were addressed:

• CVE-2018-10360: Fixed an out-of-bounds read in the function do_core_note in readelf.c, which allowed remote attackers to cause a denial of service (application crash) via a crafted ELF file (bsc#1096974)
• CVE-2019-8905: Fixed a stack-based buffer over-read in do_core_note in readelf.c (bsc#1126118)
• CVE-2019-8906: Fixed an out-of-bounds read in do_core_note in readelf. c (bsc#1126119)
• CVE-2019-8907: Fixed a stack corruption in do_core_note in readelf.c (bsc#1126117)

This update for timezone fixes the following issues:
timezone was updated 2019a:

• Palestine 'springs forward' on 2019-03-30 instead of 2019-03-23
• Metlakatla 'fell back' to rejoin Alaska Time on 2019-01-20 at 02:00
• Israel observed DST in 1980 (08-02/09-13) and 1984 (05-05/08-25)
• zic now has an -r option to limit the time range of output data

This update for tar fixes the following issues:
Security issues fixed:

• CVE-2019-9923: Fixed a denial of service while parsing certain archives with malformed extended headers in pax_decode_header() (bsc#1130496).
• CVE-2018-20482: Fixed a denial of service when the '--sparse' option mishandles file shrinkage during read access (bsc#1120610).

This update for sles12sp3-docker-image, sles12sp4-image, system-user-root fixes the following issues:

• CVE-2019-5021: Include an invalidated root password by default, not an empty one (bsc#1134524)

This update for timezone fixes the following issues:

• Timezone update 2019b. (bsc#1140016): - Brazil no longer observes DST. - 'zic -b slim' outputs smaller TZif files. - Palestine's 2019 spring-forward transition was on 03-29, not 03-30. - Add info about the Crimea situation.

This update for timezone fixes the following issues:

• Fiji observes DST from 2019-11-10 to 2020-01-12.
• Norfolk Island starts observing Australian-style DST.

This update for ncurses fixes the following issues:
Security issues fixed:

• CVE-2019-17594: Fixed a heap-based buffer over-read in the _nc_find_entry function (bsc#1154036).
• CVE-2019-17595: Fixed a heap-based buffer over-read in the fmt_entry function (bsc#1154037).

• Removed screen.xterm from terminfo database (bsc#1103320).

This update includes the GNU Compiler Collection 9.
A full changelog is provided by the GCC team on:
https://www.gnu.org/software/gcc/gcc-9/changes.html

The base system compiler libraries libgcc_s1, libstdc++6 and others are now built by the gcc 9 packages.
To use it, install 'gcc9' or 'gcc9-c++' or other compiler brands and use CC=gcc-9 / CXX=g++-9 during configuration for using it.

Security issues fixed:

• CVE-2019-15847: Fixed a miscompilation in the POWER9 back end, that optimized multiple calls of the __builtin_darn intrinsic into a single call. (bsc#1149145)
• CVE-2019-14250: Fixed a heap overflow in the LTO linker. (bsc#1142649)

• Split out libstdc++ pretty-printers into a separate package supplementing gdb and the installed runtime. (bsc#1135254)
• Fixed miscompilation for vector shift on s390. (bsc#1141897)

This update for libidn2 to version 2.2.0 fixes the following issues:

• CVE-2019-12290: Fixed an improper round-trip check when converting A-labels to U-labels (bsc#1154884).
• CVE-2019-18224: Fixed a heap-based buffer overflow that was caused by long domain strings (bsc#1154887).

This update for pam fixes the following issues:

• Add libdb as build-time dependency to enable pam_userdb module. Enable pam_userdb.so (jsc#sle-7258, bsc#1164562)

This update for PAM fixes the following issue:

• The license of libdb linked against pam_userdb is not always wanted, so we temporary disabled pam_userdb again. It will be published in a different package at a later time. (bsc#1166510)

This update for pam fixes the following issues:

• Moved pam_userdb into a separate package pam-extra. (bsc#1166510)

This update for gmp, gnutls, libnettle fixes the following issues:
Security issue fixed:

• CVE-2020-11501: Fixed zero random value in DTLS client hello (bsc#1168345)

• FIPS: Install checksums for binary integrity verification which are required when running in FIPS mode (bsc#1152692, jsc#SLE-9518)
• FIPS: Fixed a cfb8 decryption issue, no longer truncate output IV if input is shorter than block size. (bsc#1166881)
• FIPS: Added Diffie Hellman public key verification test. (bsc#1155327)

This update for gcc9 fixes the following issues:
This update ships the GCC 9.3 release.

• Includes a fix for Internal compiler error when building HepMC (bsc#1167898)
• Includes fix for binutils version parsing
• Add libstdc++6-pp provides and conflicts to avoid file conflicts with same minor version of libstdc++6-pp from gcc10.
• Add gcc9 autodetect -g at lto link (bsc#1149995)
• Install go tool buildid for bootstrapping go

This update for file fixes the following issues:
Security issues fixed:

• CVE-2019-18218: Fixed a heap-based buffer overflow in cdf_read_property_info() (bsc#1154661).

• Fixed broken '--help' output (bsc#1169512).

This update for timezone fixes the following issues:

• timezone update 2020a. (bsc#1169582) * Morocco springs forward on 2020-05-31, not 2020-05-24. * Canada's Yukon advanced to -07 year-round on 2020-03-08. * America/Nuuk renamed from America/Godthab. * zic now supports expiration dates for leap second lists.

This update for grep fixes the following issues:

• Update testsuite expectations, no functional changes (bsc#1155271)

This update for timezone fixes the following issue:

• zdump --version reported 'unknown' (bsc#1172055)

This update for diffutils fixes the following issue:

• Disable a sporadically failing test for ppc64 and ppc64le builds. (bsc#1156913)

This update for gcc10, nvptx-tools fixes the following issues:
This update provides the GCC10 compiler suite and runtime libraries.
The base SUSE Linux Enterprise libraries libgcc_s1, libstdc++6 are replaced by the gcc10 variants.
The new compiler variants are available with '-10' suffix, you can specify them via:
CC=gcc-10 CXX=g++-10
or similar commands.
For a detailed changelog check out https://gcc.gnu.org/gcc-10/changes.html
Changes in nvptx-tools:

• Enable build on aarch64

This update for file fixes the following issues:

• Fixes an issue when file displays broken 'ELF' interpreter. (bsc#1176123)

This update for timezone fixes the following issues:

• timezone update 2020b (bsc#1177460) * Revised predictions for Morocco's changes starting in 2023. * Canada's Yukon changes to -07 on 2020-11-01, not 2020-03-08. * Macquarie Island has stayed in sync with Tasmania since 2011. * Casey, Antarctica is at +08 in winter and +11 in summer. * zic no longer supports -y, nor the TYPE field of Rules.

This update for timezone fixes the following issues:

• Generate 'fat' timezone files (was default before 2020b). (bsc#1178346, bsc#1178350, bsc#1178353)
• Palestine ends DST earlier than predicted, on 2020-10-24. (bsc#1177460)
• Fiji starts DST later than usual, on 2020-12-20. (bsc#1177460)

This update for pam and sudo fixes the following issue:
pam:

• pam_xauth: do not *free* a string which has been successfully passed to *putenv*. (bsc#1177858)
• Initialize the local variable *daysleft* to avoid a misleading warning for password expire days. (bsc#1178727)
• Run /usr/bin/xauth using the old user's and group's identifiers. (bsc#1174593)

• Fix a problem with pam_xauth which checks effective and real uids to get the real identity of the user. (bsc#1174593)

This update for pam fixes the following issues:

• Check if the password is part of the username. (jsc#SLE-16719, jsc#SLE-16720) - Check whether the password contains a substring of of the user's name of at least `` characters length in some form. This is enabled by the new parameter `usersubstr=`

This update for gzip fixes the following issue:

• Enable `DFLTCC` (Deflate Conversion Call) compression for s390x for levels 1-6 to `CFLAGS`. (jsc#SLE-13775) Enable by adding `-DDFLTCC_LEVEL_MASK=0x7e` to `CFLAGS`.

This update for libidn2 fixes the following issues:

• The library is actually dual licensed, GPL-2.0-or-later or LGPL-3.0-or-later, adjusted the RPM license tags (bsc#1180138)

This update for timezone fixes the following issues:

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

• timezone update 2020f (bsc#1177460) * 'make rearguard_tarballs' no longer generates a bad rearguard.zi, fixing a 2020e bug.

• timezone update 2020e (bsc#1177460) * Volgograd switches to Moscow time on 2020-12-27 at 02:00.

This update for keyutils fixes the following issues:

• Adjust the library license to be LPGL-2.1+ only (the tools are GPL2+, the library is just LGPL-2.1+) (bsc#1180603)

This update for gmp fixes the following issues:

• correct license statements of packages (library itself is no GPL-3.0) (bsc#1180603)

This update for timezone fixes the following issues:

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

• timezone update 2021a (bsc#1177460) * South Sudan changes from +03 to +02 on 2021-02-01 at 00:00.

This update for pam fixes the following issues:

• Added rpm macros for this package, so that other packages can make use of it

This update for filesystem the following issues:

• Remove duplicate line due to merge error
• Add fix for 'mesa' creating cache with perm 0700. (bsc#1181011)
• Fixed an issue causing failure during installation/upgrade a failure. (rh#1548403) (bsc#1146705)
• Allows to override config to add cleanup options of '/var/tmp'. (bsc#1078466)
• Create config to cleanup '/tmp' regular required with 'tmpfs'. (bsc#1175519)

• Fix for a possible memory leak. (bsc#1180020)
• Fix for a case when to a bind mounted directory results inactive mount units. (#7811) (bsc#1180596)
• Fixed an issue when starting a container conflicts with another one. (bsc#1178775)
• Drop most of the tmpfiles that deal with generic paths and avoid warnings. (bsc#1078466, bsc#1181831)
• Don't use shell redirections when calling a rpm macro. (bsc#1183094)
• 'systemd' requires 'aaa_base' >= 13.2. (bsc#1180083)

This update for libreoffice provides the upgrade from version 6.4.5.2 to 7.1.1.2 (jsc#ECO-3150, bsc#1182790)

libreoffice:

• Image shown with different aspect ratio (bsc#1176547)
• Text changes are reproducibly lost on PPTX with SmartArt (bsc#1181644)
• Adjust to new Box2D and enable KDE on SUSE Linux Enterprise 15-SP3 or newer (jsc#ECO-3375)
• Wrong bullet points in Impress (bsc#1174465)
• SmartArt: text wrongly aligned, background boxes not quite right (bsc#1177955)
• Update the SUSE color palette to reflect the new SUSE branding. (bsc#1181122, bsc#1173471) - SUSE Mint - SUSE Midnight Blue - SUSE Waterhole Blue - SUSE Persimmon
• Fix a crash opening a PPTX. (bsc#1179025)
• Fix text box from PowerPoint renders vertically instead of horizontally (bsc#1178807)
• Shadow effects for table completely missing (bsc#1178944, bsc#1178943)
• Disable firebird integration for the time being (bsc#1179203)
• Fixes hang on Writer on scrolling/saving of a document (bsc#1136234)
• Wrong rendering of bulleted lists in PPTX document (bsc#1155141)
• Sidebar: paragraph widget: numeric fields become inactive/unaccessible after saving (bsc#1173404)
• Crash of Writer opening any document having 'invalid' python file in home directory (bsc#1116658)

• fixed a build issue on 32-bit linux platforms, caused by slicing of integer string ID values.
• worked around floating point rounding errors which prevented two theoretically-equal numeric values from being evaluated as equal in test code.
• added new function to allow printing of single formula tokens.
• added method for setting cached results on formula cells in model_context.
• changed the model_context design to ensure that all sheets are of the same size.
• added an accessor method to formula_model_access interface (and implicitly in model_context) that directly returns a string value from cell.
• added cell_access class for querying of cell states without knowing its type ahead of time.
• added document class which provides a layer on top of model_context, to abstract away the handling of formula calculations.
• deprecated model_context::erase_cell() in favor of empty_cell().
• added support for 3D references - references that contain multiple sheets.
• added support for the exponent (^) and concatenation (&) operators.
• fixed incorrect handling of range references containing whole columns such as A:A.
• added support for unordered range references - range references whose start row or column is greater than their end position counterparts, such as A3:A1.
• fixed a bug that prevented nested formula functions from working properly.
• implemented Calc A1 style reference resolver.
• formula results now directly store the string values when the results are of string type. They previously stored string ID values after interning the original strings.
• Removed build-time dependency on spdlog.

• add a parser for Jazz(Lotus) writer and spreasheet files. The writer parser can only be called if the file still contains its resource fork
• add a parser for Canvas 3 and 3.5 files
• AppleWorks parser: try to retrieve more Windows presentation
• add a parser for Drawing Table files
• add a parser for Canvas 2 files
• API: add new reserved enums in MWAWDocument.hxx `MWAW_T_RESERVED10..MWAW_T_RESERVED29` and add a new define in libmwaw.hxx `MWAW_INTERFACE_VERSION` to check if these enums are defined
• remove the QuarkXPress parser (must be in libqxp)
• retrieve the annotation in MsWord 5 document
• try to better understand RagTime 5-6 document

• Add upstream changes to fix build with GCC 11 (bsc#1181872)

• fix `text:sender-lastname` when creating meta-data

• XYWrite: add a parser to .fil v2 and v4 files
• wks,wk1: correct some problems when retrieving cell's reference.

• See also: https://www.glfw.org/changelog.html
• Sort list of input files to geany for reproducible builds (bsc#1049382, bsc#1041090) * Require pkgconfig(gl) for the devel package to supply needed include GL/gl.h * glfwFocusWindow could terminate on older WMs or without a WM * Creating an undecorated window could fail with BadMatch * Querying a disconnected monitor could segfault * Video modes with a duplicate screen area were discarded * The CMake files did not check for the XInput headers * Key names were not updated when the keyboard layout changed * Decorations could not be enabled after window creation * Content scale fallback value could be inconsistent * Disabled cursor mode was interrupted by indicator windows * Monitor physical dimensions could be reported as zero mm * Window position events were not emitted during resizing * Added on-demand loading of Vulkan and context creation API libraries * [X11] Bugfix: Window size limits were ignored if the minimum or maximum size was set to `GLFW_DONT_CARE` * [X11] Bugfix: Input focus was set before window was visible, causing BadMatch on some non-reparenting WMs * [X11] Bugfix: glfwGetWindowPos and glfwSetWindowPos operated on the window frame instead of the client area * [WGL] Added reporting of errors from `WGL_ARB_create_context` extension * [EGL] Added lib prefix matching between EGL and OpenGL ES library binaries * [EGL] Bugfix: Dynamically loaded entry points were not verified
• Made build of geany-tags optional.

This update for tar fixes the following issues:
CVE-2021-20193: Memory leak in read_header() in list.c (bsc#1181131)

This update for gzip fixes the following issues:

• Fixes an issue when 'gzexe' counts the lines to skip wrong. (bsc#1180713)

This update for gzip fixes the following issues:

• Fixed a potential segfault when zlib acceleration is enabled (bsc#1177047)

This update for pam fixes the following issues:

• Fixed a bug, where the 'unlimited'/'-1' value was not interpreted correctly (bsc#1181443)
• Fixed a bug, where pam_access interpreted the keyword 'LOCAL' incorrectly, leading to an attempt to resolve it as a hostname (bsc#1184358)
• In the 32-bit compatibility package for 64-bit architectures, require 'systemd-32bit' to be also installed as it contains pam_systemd.so for 32 bit applications. (bsc#1185562)

This update for gcc10 fixes the following issues:

• Disable nvptx offloading for aarch64 again since it doesn't work
• Fixed a build failure issue. (bsc#1182016)
• Fix for memory miscompilation on 'aarch64'. (bsc#1178624, bsc#1178577)
• Fix 32bit 'libgnat.so' link. (bsc#1178675)
• prepare usrmerge: Install libgcc_s into %_libdir. ABI wise it stays /%lib. (bsc#1029961)
• Build complete set of multilibs for arm-none target. (bsc#1106014)

This update for gzip fixes the following issue:

• gzip had a lower release number in 15 sp2 and sp3 than in 15 sp1, which could lead to migration issues. (bsc#1186642)

This update for automake fixes the following issues:

• Implement generated autoconf makefiles reproducible (bsc#1182604)
• Add fix to avoid date variations in docs. (bsc#1047218, jsc#SLE-17848)
• Avoid bashisms in test-driver script. (bsc#1185540)

• Do not run profiling 'check' in parallel to make package build reproducible. (bsc#1040589)

• Add fixes to support reproducible builds. (bsc#1186049)

This update for tar fixes the following issues:

• Link '/var/lib/tests/tar/bin/genfile' as Position-Independent Executable (bsc#1184124)

This update for lua53 fixes the following issues:
Update to version 5.3.6:

• CVE-2020-24371: lgc.c mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage (bsc#1175449)
• CVE-2020-24370: ldebug.c allows a negation overflow and segmentation fault in getlocal and setlocal (bsc#1175448)
• Long brackets with a huge number of '=' overflow some internal buffer arithmetic.

This update for timezone fixes the following issue:

• From systemd v249: when enumerating time zones the timedatectl tool will now consult the 'tzdata.zi' file shipped by

This update for python3 fixes the following issues:

• Fixed an issue when the missing 'stropts.h' causing build errors for different python modules. (bsc#1187338)

This update for file fixes the following issues:

• Fixes exception thrown by memory allocation problem (bsc#1189996)

This update for ncurses fixes the following issues:

• CVE-2021-39537: Fixed an heap-based buffer overflow in _nc_captoinfo. (bsc#1190793)

This update for pam fixes the following issues:

• Added pam_faillock to the set of available PAM modules. (jsc#SLE-20638)
• Added new file macros.pam on request of systemd. (bsc#1190052)

This update for pam fixes the following issues:

• Fixed a bad directive file which resulted in the 'securetty' file to be installed as 'macros.pam'. (bsc#1191987)

This update for pcre fixes the following issues:
Update pcre to version 8.45:

• CVE-2020-14155: Fixed integer overflow via a large number after a '(?C' substring (bsc#1172974).
• CVE-2019-20838: Fixed buffer over-read in JIT compiler (bsc#1172973)

This update for gcc11 fixes the following issues:
The additional GNU compiler collection GCC 11 is provided:
To select these compilers install the packages:

• gcc11
• gcc-c++11
• and others with 11 prefix.

• CC='gcc-11'
• CXX='g++-11'

This update for timezone fixes the following issues:
Update timezone to 2021e (bsc#1177460)

• Palestine will fall back 10-29 (not 10-30) at 01:00
• Fiji suspends DST for the 2021/2022 season
• 'zic -r' marks unspecified timestamps with '-00'
• Fix a bug in 'zic -b fat' that caused old timestamps to be mishandled in 32-bit-only readers
• Refresh timezone info for china

This update for keyutils fixes the following issues:

• Add /etc/keys/ and /usr/etc/keys/ directory (bsc#1187654)

• Revert the change notifications that were using /dev/watch_queue.
• Apply the change notifications that use pipe2(O_NOTIFICATION_PIPE).
• Allow 'keyctl supports' to retrieve raw capability data.
• Allow 'keyctl id' to turn a symbolic key ID into a numeric ID.
• Allow 'keyctl new_session' to name the keyring.
• Allow 'keyctl add/padd/etc.' to take hex-encoded data.
• Add 'keyctl watch*' to expose kernel change notifications on keys.
• Add caps for namespacing and notifications.
• Set a default TTL on keys that upcall for name resolution.
• Explicitly clear memory after it's held sensitive information.
• Various manual page fixes.
• Fix C++-related errors.
• Add support for keyctl_move().
• Add support for keyctl_capabilities().
• Make key=val list optional for various public-key ops.
• Fix system call signature for KEYCTL_PKEY_QUERY.
• Fix 'keyctl pkey_query' argument passing.
• Use keyctl_read_alloc() in dump_key_tree_aux().
• Various manual page fixes.

• Apply various specfile cleanups from Fedora.
• request-key: Provide a command line option to suppress helper execution.
• request-key: Find least-wildcard match rather than first match.
• Remove the dependency on MIT Kerberos.
• Fix some error messages
• keyctl_dh_compute.3: Suggest /proc/crypto for list of available hashes.
• Fix doc and comment typos.
• Add public key ops for encrypt, decrypt, sign and verify (needs linux-4.20).
• Add pkg-config support for finding libkeyutils.
• upstream isn't offering PGP signatures for the source tarballs anymore

• Add keyring restriction support.
• Add KDF support to the Diffie-Helman function.
• DNS: Add support for AFS config files and SRV records

This update for brotli fixes the following issues:

• CVE-2020-8927: Fixed integer overflow when input chunk is larger than 2GiB (bsc#1175825).

This update for gmp fixes the following issues:

• CVE-2021-43618: Fixed buffer overflow via crafted input in mpz/inp_raw.c (bsc#1192717).

This update for python3 fixes the following issues:

• CVE-2021-3426: Fixed information disclosure via pydoc (bsc#1183374).
• CVE-2021-3733: Fixed infinitely reading potential HTTP headers after a 100 Continue status response from the server (bsc#1189241).
• CVE-2021-3737: Fixed ReDoS in urllib.request (bsc#1189287).

• We do not require python-rpm-macros package (bsc#1180125).
• Use versioned python-Sphinx to avoid dependency on other version of Python (bsc#1183858).
• Stop providing 'python' symbol, which means python2 currently (bsc#1185588).
• Modify Lib/ensurepip/__init__.py to contain the same version numbers as are in reality the ones in the bundled wheels (bsc#1187668).

This update for python3 fixes the following issues:

• Don't use OpenSSL 1.1 on platforms which don't have it.

• Remove shebangs from python-base libraries in '_libdir'. (bsc#1193179, bsc#1192249).
• Build against 'openssl 1.1' as it is incompatible with 'openssl 3.0+' (bsc#1190566)
• Fix for permission error when changing the mtime of the source file in presence of 'SOURCE_DATE_EPOCH'.

This update for filesystem fixes the following issues:

• Release ported filesystem to LTSS channels (bsc#1190447).

This update for update-alternatives fixes the following issues:

• Break bash - update-alternatives cycle rewrite of '%post' in 'lua'. (bsc#1195654)

This update for openssl-1_1 fixes the following issues:
openssl-1_1:

• Fix PAC pointer authentication in ARM (bsc#1195856)
• Pull libopenssl-1_1 when updating openssl-1_1 with the same version (bsc#1195792)
• FIPS: Fix function and reason error codes (bsc#1182959)
• Enable zlib compression support (bsc#1195149)

• Resolve installation issue of `glibc-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `linux-kernel-headers` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `libxcrypt-devel` in SUSE Linux Enterprise Micro 5.1

• Resolve installation issue of `zlib-devel` in SUSE Linux Enterprise Micro 5.1

This update for filesystem and systemd-rpm-macros fixes the following issues:
filesystem:

• Add path /lib/modprobe.d (bsc#1196275, jsc#SLE-20639)

• Make %_modprobedir point to /lib/modprobe.d (bsc#1196275, bsc#1196406)

This update for python3 fixes the following issues:

• CVE-2021-3572: Fixed an improper handling of unicode characters in pip (bsc#1186819).

This update for pam fixes the following issues:

• Define _pam_vendordir as the variable is needed by systemd and others. (bsc#1196093)
• Between allocating the variable 'ai' and free'ing them, there are two 'return NO' were we don't free this variable. This patch inserts freaddrinfo() calls before the 'return NO;'s. (bsc#1197024)

This update for timezone fixes the following issues:

• timezone update 2022a (bsc#1177460): * Palestine will spring forward on 2022-03-27, not on 03-26 * `zdump -v` now outputs better failure indications * Bug fixes for code that reads corrupted TZif data

This update for libtirpc fixes the following issues:

• Add option to enforce connection via protocol version 2 first (bsc#1196647)

This update for gcc11 fixes the following issues:

• Add a list of Obsoletes to libstdc++6-pp-gcc11 so updates from packages provided by older GCC work. Add a requires from that package to the corresponding libstc++6 package to keep those at the same version. [bsc#1196107]
• Fixed memory corruption when creating dependences with the D language frontend.
• Add gcc11-PIE, similar to gcc-PIE but affecting gcc11 [bsc#1195628]
• Put libstdc++6-pp Requires on the shared library and drop to Recommends.

This update for perl fixes the following issues:

• Fix Socket::VERSION evaluation and stabilize Socket:VERSION comparisons (bsc#1193489)

This update for tar fixes the following issues:

• CVE-2021-20193: Fixed a memory leak in read_header() in list.c (bsc#1181131).
• CVE-2019-9923: Fixed a null-pointer dereference in pax_decode_header in sparse.c (bsc#1130496).
• CVE-2018-20482: Fixed infinite read loop in sparse_dump_region in sparse.c (bsc#1120610).

• Update to GNU tar 1.34: * Fix extraction over pipe * Fix memory leak in read_header (CVE-2021-20193) (bsc#1181131) * Fix extraction when . and .. are unreadable * Gracefully handle duplicate symlinks when extracting * Re-initialize supplementary groups when switching to user privileges

• Update to GNU tar 1.33: * POSIX extended format headers do not include PID by default * --delay-directory-restore works for archives with reversed member ordering * Fix extraction of a symbolic link hardlinked to another symbolic link * Wildcards in exclude-vcs-ignore mode don't match slash * Fix the --no-overwrite-dir option * Fix handling of chained renames in incremental backups * Link counting works for file names supplied with -T * Accept only position-sensitive (file-selection) options in file list files

• prepare usrmerge (bsc#1029961)

• Update to GNU 1.32 * Fix the use of --checkpoint without explicit --checkpoint-action * Fix extraction with the -U option * Fix iconv usage on BSD-based systems * Fix possible NULL dereference (savannah bug #55369) [bsc#1130496] [CVE-2019-9923] * Improve the testsuite

• Update to GNU 1.31 * Fix heap-buffer-overrun with --one-top-level, bug introduced with the addition of that option in 1.28 * Support for zstd compression * New option '--zstd' instructs tar to use zstd as compression program. When listing, extractng and comparing, zstd compressed archives are recognized automatically. When '-a' option is in effect, zstd compression is selected if the destination archive name ends in '.zst' or '.tzst'. * The -K option interacts properly with member names given in the command line. Names of members to extract can be specified along with the '-K NAME' option. In this case, tar will extract NAME and those of named members that appear in the archive after it, which is consistent with the semantics of the option. Previous versions of tar extracted NAME, those of named members that appeared before it, and everything after it. * Fix CVE-2018-20482 - When creating archives with the --sparse option, previous versions of tar would loop endlessly if a sparse file had been truncated while being archived.

This update for gzip fixes the following issues:

• CVE-2022-1271: Fix escaping of malicious filenames. (bsc#1198062)

This update for pam fixes the following issue:

• Do not include obsolete header files (bsc#1197794)

This update for libpsl fixes the following issues:

• Fix libpsl compilation issues (bsc#1197771)

This update for grep fixes the following issues:

• Make profiling deterministic. (bsc#1040589, SLE-24115)

This update for libtirpc fixes the following issues:

• Add a check for nullpointer in check_address to prevent client from crashing (bsc#1198176)

This update for gcc11 fixes the following issues:
Update to the GCC 11.3.0 release.

• includes SLS hardening backport on x86_64. [bsc#1195283]
• includes change to adjust gnats idea of the target, fixing the build of gprbuild. [bsc#1196861]
• fixed miscompile of embedded premake in 0ad on i586. [bsc#1197065]
• use --with-cpu rather than specifying --with-arch/--with-tune
• Fix D memory corruption in -M output.
• Fix ICE in is_this_parameter with coroutines. [bsc#1193659]
• fixes issue with debug dumping together with -o /dev/null
• fixes libgccjit issue showing up in emacs build [bsc#1192951]
• Package mwaitintrin.h

This update for expat fixes the following issues:

• CVE-2022-25236: Fixed possible namespace-separator characters insertion into namespace URIs (bsc#1196025).
• Fixed a regression caused by the patch for CVE-2022-25236 (bsc#1196784).
• CVE-2022-25235: Fixed UTF-8 character validation in a certain context (bsc#1196026).
• CVE-2022-25313: Fixed stack exhaustion in build_model() via uncontrolled recursion (bsc#1196168).
• CVE-2022-25314: Fixed integer overflow in copyString (bsc#1196169).
• CVE-2022-25315: Fixed integer overflow in storeRawNames (bsc#1196171).

This update for python3 fixes the following issues:

• CVE-2015-20107: avoid command injection in the mailcap module (bsc#1198511).

This update for pcre fixes the following issues:

• CVE-2022-1586: Fixed unicode property matching issue. (bsc#1199232)

This update for glibc fixes the following issues:

• powerpc: Fix VSX register number on __strncpy_power9 (bsc#1200334)
• Disable warnings due to deprecated libselinux symbols used by nss and nscd (bsc#1197718)
• i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bsc#1197718)
• rtld: Avoid using up static TLS surplus for optimizations (bsc#1200855, BZ #25051)

This update for rpm-config-SUSE fixes the following issues:

• Add SBAT values macros for other packages (bsc#1193282)

This update for permissions fixes the following issues:

• apptainer: fix starter-suid location (bsc#1198720)
• static permissions: remove deprecated bind / named chroot entries (bsc#1200747)
• postfix: add postlog setgid for maildrop binary (bsc#1201385)

This update for ncurses fixes the following issues:

• CVE-2022-29458: Fixed segfaulting out-of-bounds read in convert_strings in tinfo/read_entry.c (bsc#1198627).

This update for tar fixes the following issues:

• Fix race condition while creating intermediate subdirectories (bsc#1200657)

This update for jitterentropy fixes the following issues:
jitterentropy is included in version 3.4.0 (jsc#SLE-24941):
This is a FIPS 140-3 / NIST 800-90b compliant userspace jitter entropy generator library, used by other FIPS libraries.

This update for tar fixes the following issues:

• A regression in a previous update lead to potential deadlocks when extracting an archive. (bsc#1202436)

This update for elfutils fixes the following issues:

• Fix runtime dependency for devel package

This update for timezone fixes the following issue:

• Reflect new Chile DST change (bsc#1202310)

This update for libtirpc fixes the following issues:

• Exclude ipv6 addresses in client protocol version 2 code (bsc#1200800)
• Fix memory leak in params.r_addr assignement (bsc#1198752)

This update for icu fixes the following issues:

• CVE-2020-21913: Fixed a memory safetey issue that could lead to use after free (bsc#1193951).

This update for gcc11 ships some missing 32bit libraries for s390x. (bsc#1199140)

This update for perl fixes the following issues:

• CVE-2017-6512: Fixed File::Path rmtree/remove_tree race condition (bsc#1047178).

This update for libtirpc fixes the following issues:

• CVE-2021-46828: Fixed denial of service vulnerability with lots of connections (bsc#1201680).

This update for jitterentropy fixes the following issues:

• Hide the non-GNUC constructs that are library internal from the exported header, to make it usable in builds with strict C99 compliance. (bsc#1202870)

This update for permissions fixes the following issues:

• CVE-2022-31252: Fixed chkstat group controlled paths (bsc#1203018).

This update for expat fixes the following issues:

• CVE-2022-40674: Fixed use-after-free in the doContent function in xmlparse.c (bsc#1203438).

This update for python3 fixes the following issues:

• CVE-2021-28861: Fixed an open redirection vulnerability in the HTTP server when an URI path starts with // (bsc#1202624).

This update for aaa_base fixes the following issues:

• The wrapper rootsh is not a restricted shell. (bsc#1199492)

This update for permissions fixes the following issues:

• Fix regression introduced by backport of security fix (bsc#1203911)
• Add permissions for enlightenment helper on 32bit arches (bsc#1194047)

This update for expat fixes the following issues:
- CVE-2022-43680: Fixed use-after free caused by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate (bsc#1204708).

This update for pam fixes the following issue:

• Update pam_motd to the most current version. (PED-1712)

This update for timezone fixes the following issues:
Update timezone version from 2022a to 2022f (bsc#1177460, bsc#1204649, bsc#1205156):

• Mexico will no longer observe DST except near the US border
• Chihuahua moves to year-round -06 on 2022-10-30
• Fiji no longer observes DST
• In vanguard form, GMT is now a Zone and Etc/GMT a link
• zic now supports links to links, and vanguard form uses this
• Simplify four Ontario zones
• Fix a Y2438 bug when reading TZif data
• Enable 64-bit time_t on 32-bit glibc platforms
• Omit large-file support when no longer needed
• Jordan and Syria switch from +02/+03 with DST to year-round +03
• Palestine transitions are now Saturdays at 02:00
• Simplify three Ukraine zones into one
• Improve tzselect on intercontinental Zones
• Chile's DST is delayed by a week in September 2022 (bsc#1202324)
• Iran no longer observes DST after 2022
• Rename Europe/Kiev to Europe/Kyiv
• New `zic -R` command option
• Vanguard form now uses %z

This update for dpkg fixes the following issues:

• CVE-2022-1664: Fixed a directory traversal vulnerability in Dpkg::Source::Archive (bsc#1199944).

This update for libeconf fixes the following issues:

• Update to version 0.4.6+git - econftool: Parsing error: Reporting file and line nr. --delimeters=spaces accepting all kind of spaces for delimiter. - libeconf: Parse files correctly on space characters (1198165)

• Update to version 0.4.5+git - econftool: New call 'syntax' for checking the configuration files only. Returns an error string with line number if error. New options '--comment' and '--delimeters'

This update for gcc12 fixes the following issues:
This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP3 and SP4, and provided in the 'Development Tools' module.
The Go, D and Ada language compiler parts are available unsupported via the PackageHub repositories.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your Makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for python3 fixes the following issues:

• CVE-2022-37454: Fixed a buffer overflow in hashlib.sha3_* implementations. (bsc#1204577)
• CVE-2020-10735: Fixed a bug to limit amount of digits converting text to int and vice vera. (bsc#1203125)

• Fixed a crash in the garbage collection (bsc#1188607).

This update for tar fixes the following issues:

• Fix unexpected inconsistency when making directory (bsc#1203600)
• Update race condition fix (bsc#1200657)

This update for timezone fixes the following issues:
Version update from 2022f to 2022g (bsc#1177460):

• In the Mexican state of Chihuahua: * The border strip near the US will change to agree with nearby US locations on 2022-11-30. * The strip's western part, represented by Ciudad Juarez, switches from -06 all year to -07/-06 with US DST rules, like El Paso, TX. * The eastern part, represented by Ojinaga, will observe US DST next year, like Presidio, TX. * A new Zone America/Ciudad_Juarez splits from America/Ojinaga.
• Much of Greenland, represented by America/Nuuk, stops observing winter time after March 2023, so its daylight saving time becomes standard time.
• Changes for pre-1996 northern Canada
• Update to past DST transition in Colombia (1993), Singapore (1981)
• 'timegm' is now supported by default

This update for libtirpc fixes the following issues:

• Consider /proc/sys/net/ipv4/ip_local_reserved_ports, before binding to a random port (bsc#1199467)

This update for tar fixes the following issue:

• Fix hang when unpacking test tarball (bsc#1202436)

This update for tar fixes the following issues:

• CVE-2022-48303: Fixed a one-byte out-of-bounds read that resulted in use of uninitialized memory for a conditional jump (bsc#1207753).

• Fix hang when unpacking test tarball (bsc#1202436).

This update for python3 fixes the following issues:
- CVE-2022-45061: Fixed DoS when IDNA decodes extremely long domain names (bsc#1205244).
Bugfixes:
- Fixed issue where email.generator.py replaces a non-existent header (bsc#1208443).

This update for libxslt fixes the following issues:

• CVE-2021-30560: Fixing a use after free vulnerability in Blink XSLT (bsc#1208574).

This update for jitterentropy fixes the following issues:

• build jitterentropy library with debuginfo (bsc#1207789)

This update for gcc12 fixes the following issues:
This update ships gcc12 also to the SUSE Linux Enterprise 15 SP1 LTSS and 15 SP2 LTSS products.
SUSE Linux Enterprise 15 SP3 and SP4 get only refreshed builds without changes

This update ship the GCC 12 compiler suite and its base libraries.
The compiler baselibraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 11 ones.
The new compilers for C, C++, and Fortran are provided in the SUSE Linux Enterprise Module for Development Tools.
To use gcc12 compilers use:

• install 'gcc12' or 'gcc12-c++' or one of the other 'gcc12-COMPILER' frontend packages.
• override your makefile to use CC=gcc12, CXX=g++12 and similar overrides for the other languages.

This update for python3 fixes the following issues:

• CVE-2023-24329: Fixed a blocklist bypass via the urllib.parse component when supplying a URL that starts with blank characters (bsc#1208471).

• Eliminate unnecessary and dangerous calls to PyThread_exit_thread() (bsc#1203355).

This update for timezone fixes the following issues:

• Version update from 2022g to 2023c: * Egypt now uses DST again, from April through October. * This year Morocco springs forward April 23, not April 30. * Palestine delays the start of DST this year. * Much of Greenland still uses DST from 2024 on. * America/Yellowknife now links to America/Edmonton. * tzselect can now use current time to help infer timezone. * The code now defaults to C99 or later.

This update for ncurses fixes the following issues:

• CVE-2023-29491: Fixed memory corruption issues when processing malformed terminfo data (bsc#1210434).

This update for python3 fixes the following issues:

• CVE-2007-4559: Fixed filter for tarfile.extractall (bsc#1203750).

• Fixed unittest.mock.patch.dict returns function when applied to coroutines (bsc#1211158).

This update for gcc12 fixes the following issues:

• Update to GCC 12.3 release, 0c61aa720e62f1baf0bfd178e283, git1204

• Speed up builds with --enable-link-serialization.

• Update embedded newlib to version 4.2.0

This update for libcap fixes the following issues:

• CVE-2023-2602: Fixed improper memory release in libcap/psx/psx.c:__wrap_pthread_create() (bsc#1211418).
• CVE-2023-2603: Fixed an integer overflow or wraparound in libcap/cap_alloc.c:_libcap_strdup() (bsc#1211419).

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for audit fixes the following issues:

• Check for AF_UNIX unnamed sockets (bsc#1210004)
• Enable livepatching on main library on x86_64

This update for perl fixes the following issues:

- CVE-2023-31484: Enable TLS cert verification in CPAN (bsc#1210999).

This update for libxml2 fixes the following issues:

• Build also for modern python version (jsc#PED-68)

This update for audit fixes the following issues:

• Create symbolic link from /sbin/audisp-syslog to /usr/sbin/audisp-syslog (bsc#1201519)
• Fix rules not loaded when restarting auditd.service (bsc#1204844)

This update for icu fixes the following issues:

• Japanese era Reiwa (bsc#1112183, bsc#1103893, fate570, fate#325570, fate#325419)

This update for sysuser-tools fixes the following issues:

• Update to version 3.2
• Always create a system group of the same name as the system user (bsc#1205161, bsc#1207778, bsc#1213240)
• Add 'quilt setup' friendly hint to %sysusers_requires usage
• Use append so if a pre file already exists it isn't overridden
• Invoke bash for bash scripts (bsc#1195391)
• Remove all systemd requires not supported on SLE15 (bsc#1214140)

This update for gcc12 fixes the following issues:

• CVE-2023-4039: Fixed incorrect stack protector for C99 VLAs on Aarch64 (bsc#1214052).

This update for libxml2 fixes the following issues:

• CVE-2023-39615: Fixed crafted xml can cause global buffer overflow (bsc#1214768).

This update for python3 fixes the following issues:

• CVE-2023-40217: Fixed TLS handshake bypass on closed sockets (bsc#1214692).

This update for libeconf fixes the following issues:
Update to version 0.5.2.

• CVE-2023-30078, CVE-2023-32181: Fixed a stack-buffer-overflow vulnerability in 'econf_writeFile' function (bsc#1211078).
• CVE-2023-30079, CVE-2023-22652: Fixed a stack-buffer-overflow vulnerability in 'read_file' function. (bsc#1211078)

This update for aaa_base fixes the following issues:

• Respect /etc/update-alternatives/java when setting JAVA_HOME (bsc#1215434,bsc#1107342)

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc13, CXX=g++13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for zlib fixes the following issues:

• CVE-2023-45853: Fixed an integer overflow that would lead to a buffer overflow in the minizip subcomponent (bsc#1216378).

This Update for libtirpc to 1.3.4, fixing the following issues: Update to 1.3.4 (bsc#1199467)
* binddynport.c honor ip_local_reserved_ports - replaces: binddynport-honor-ip_local_reserved_ports.patch * gss-api: expose gss major/minor error in authgss_refresh() * rpcb_clnt.c: Eliminate double frees in delete_cache() * rpcb_clnt.c: memory leak in destroy_addr * portmapper: allow TCP-only portmapper * getnetconfigent: avoid potential DoS issue by removing unnecessary sleep * clnt_raw.c: fix a possible null pointer dereference * bindresvport.c: fix a potential resource leakage
Update to 1.3.3:

• Fix DoS vulnerability in libtirpc - replaces: 0001-Fix-DoS-vulnerability-in-libtirpc.patch
• _rpc_dtablesize: use portable system call
• libtirpc: Fix use-after-free accessing the error number
• Fix potential memory leak of parms.r_addr - replaces 0001-fix-parms.r_addr-memory-leak.patch
• rpcb_clnt.c add mechanism to try v2 protocol first - preplaces: 0001-rpcb_clnt.c-config-to-try-protocolversion-2-first.patch
• Eliminate deadlocks in connects with an MT environment
• clnt_dg_freeres() uncleared set active state may deadlock
• thread safe clnt destruction
• SUNRPC: mutexed access blacklist_read state variable
• SUNRPC: MT-safe overhaul of address cache management in rpcb_clnt.c

• Replace the final SunRPC licenses with BSD licenses
• blacklist: Add a few more well known ports
• libtirpc: disallow calling auth_refresh from clnt_call with RPCSEC_GSS

• Remove AUTH_DES interfaces from auth_des.h The unsupported AUTH_DES authentication has be compiled out since commit d918e41d889 (Wed Oct 9 2019) replaced by API routines that return errors.
• svc_dg: Free xp_netid during destroy
• Fix memory management issues of fd locks
• libtirpc: replace array with list for per-fd locks
• __svc_vc_dodestroy: fix double free of xp_ltaddr.buf
• __rpc_dtbsize: rlim_cur instead of rlim_max
• pkg-config: use the correct replacements for libdir/includedir

This update for gcc13 fixes the following issues:
This update ship the GCC 13.2 compiler suite and its base libraries.
The compiler base libraries are provided for all SUSE Linux Enterprise 15 versions and replace the same named GCC 12 ones.
The new compilers for C, C++, and Fortran are provided for SUSE Linux Enterprise 15 SP4 and SP5, and provided in the 'Development Tools' module.
The Go, D, Ada and Modula 2 language compiler parts are available unsupported via the PackageHub repositories.
To use gcc13 compilers use:

• install 'gcc13' or 'gcc13-c++' or one of the other 'gcc13-COMPILER' frontend packages.
• override your Makefile to use CC=gcc-13, CXX=g++-13 and similar overrides for the other languages.

• CVE-2023-4039: Fixed -fstack-protector issues on aarch64 with variable length stack allocations. (bsc#1214052)

• Work around third party app crash during C++ standard library initialization. [bsc#1216664]
• Fixed that GCC13 fails to compile some packages with error: unrecognizable insn (bsc#1215427)
• Bump included newlib to version 4.3.0.
• Update to GCC trunk head (r13-5254-g05b9868b182bb9)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Turn cross compiler to s390x to a glibc cross. [bsc#1214460]

• Also handle -static-pie in the default-PIE specs
• Fixed missed optimization in Skia resulting in Firefox crashes when building with LTO. [bsc#1212101]
• Make libstdc++6-devel packages own their directories since they can be installed standalone. [bsc#1211427]
• Add new x86-related intrinsics (amxcomplexintrin.h).
• RISC-V: Add support for inlining subword atomic operations
• Use --enable-link-serialization rather that --enable-link-mutex, the benefit of the former one is that the linker jobs are not holding tokens of the make's jobserver.
• Add cross-bpf packages. See https://gcc.gnu.org/wiki/BPFBackEnd for the general state of BPF with GCC.
• Add bootstrap conditional to allow --without=bootstrap to be specified to speed up local builds for testing.
• Bump included newlib to version 4.3.0.
• Also package libhwasan_preinit.o on aarch64.
• Configure external timezone database provided by the timezone package. Make libstdc++6 recommend timezone to get a fully working std::chrono. Install timezone when running the testsuite.
• Package libhwasan_preinit.o on x86_64.
• Fixed unwinding on aarch64 with pointer signing. [bsc#1206684]
• Enable PRU flavour for gcc13
• update floatn fixinclude pickup to check each header separately (bsc#1206480)
• Redo floatn fixinclude pick-up to simply keep what is there.
• Bump libgo SONAME to libgo22.
• Do not package libhwasan for biarch (32-bit architecture) as the extension depends on 64-bit pointers.
• Adjust floatn fixincludes guard to work with SLE12 and earlier SLE15.
• Depend on at least LLVM 13 for GCN cross compiler.
• Update embedded newlib to version 4.2.0
• Allow cross-pru-gcc12-bootstrap for armv7l architecture. PRU architecture is used for real-time MCUs embedded into TI armv7l and aarch64 SoCs. We need to have cross-pru-gcc12 for armv7l in order to build both host applications and PRU firmware during the same build.

This update for libxml2 fixes the following issues:

• CVE-2023-45322: Fixed a use-after-free in xmlUnlinkNode() in tree.c (bsc#1216129).

This update of icu fixes the following issue:

• missing 32bit libraries in SLES 15 SP3 were added, required by xerces-c 32bit.

This update of man fixes the following problem:

• The 'man' commands is delivered to SUSE Linux Enterprise Micro to allow browsing man pages.

This update for libtirpc fixes the following issue:

• fix sed parsing in specfile (bsc#1216862)

This update for ncurses fixes the following issues:

• CVE-2023-50495: Fixed a segmentation fault via _nc_wrap_entry() (bsc#1218014)
• Modify reset command to avoid altering clocal if the terminal uses a modem (bsc#1201384)

This update for libxcrypt fixes the following issues:

• fix variable name for datamember [bsc#1215496]
• added patches fix https://github.com/besser82/libxcrypt/commit/b212d601549a0fc84cbbcaf21b931f903787d7e2

This update for tar fixes the following issues:

• CVE-2023-39804: Fixed extension attributes in PAX archives incorrect hanling (bsc#1217969).

This update for pam fixes the following issues:

• CVE-2024-22365: Fixed a local denial of service during PAM login due to a missing check during path manipulation (bsc#1218475).
• Check localtime_r() return value to fix crashing (bsc#1217000)

This update for cpio fixes the following issues:

• CVE-2023-7207: Fixed a path traversal issue that could lead to an arbitrary file write during archive extraction (bsc#1218571).

This update for aaa_base fixes the following issues:

• Set JAVA_HOME correctly (bsc#1107342, bsc#1215434)

This update for libxml2 fixes the following issues:

• CVE-2024-25062: Fixed use-after-free in XMLReader (bsc#1219576).

This update for python3 fixes the following issues:

• CVE-2023-27043: Fixed incorrectly parses e-mail addresses which contain a special character (bsc#1210638).

This update for cpio fixes the following issues:

• Fixed cpio not extracting correctly when using --no-absolute-filenames option the security fix for CVE-2023-7207 (bsc#1218571, bsc#1219238)